\chapter{Intrusion Detection Systems}
\label{cha:IDS}
 
\section{What is a Intrusion Detection System?}
Intrusion Detection System(IDS) is a software application that detects unwanted manipulations by attackers to computer systems, mainly through a Network. IDS could detect when an attacker has successfully compromised a system by exploiting a vulnerability in the system. The IDS could then report the incident to security administrators and  log information that could be used by the incident handlers.
 
A common attribute of IDS technologies is that they cannot provide completely accurate detection. When an IDP incorrectly identifies benign activity as being malicious, a false positive has occurred. When an IDPS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives and negatives.
 
IDS can be defeated by either \emph{Evading} or \emph{Attacking}. Evading an IDS is done by disguising the malicious activity so that the IDS fails to recognize it. Attacking a IDS is by tampering with the IDS in a way that it will not be able to detect or report malicious activities.
 
\section{Types of Intrusion Detection Systems}
 
IDSs are divided into types based on the type of events they monitor and the ways in which they are deployed.
 
\subsection{Network Based IDS (NIDS)}
NIDS identifies intrusions by examining network traffic and monitors traffic of multiple hosts. NIDS operate by monitoring all incoming packets to finding suspicious patterns and also inspects outgoing traffic for valuable information communicating on the network.
 
\emph{NIDS have higher attack resistance but does not have the ability to detect the activities happening on the monitored hosts.}
Even if the Hosts are compromised the NIDS will be trustable and will be having the limited visibility to the Hosts.
 
 
\subsection{Host Based IDS(HIDS)}
HIDS monitors the state and the events occurring within that host for suspicious activity. Some of the things analyzed are system calls, application logs, file-system modifications (binaries, password files,  databases).
HIDS are usually deployed on publicly accessible servers and servers containing sensitive information, therefore it is sure of getting attacks.
 
\emph{HIDS have the ability to monitor that activities happening on the host(Good Visibility) but is open for attack. }
If the Host is compromised the HIDS too is bound to be attacked and ones it is under attack it wont be able to detect intrusions anymore.
 
 
 
 
\section{Intrusive Activities}
\label{sec:IntrusiveActivities }
Implementation of a Intrusion Detection System should know what are the possible types of attacks that are possible to come its way. This section will describe the types of activities the IDS will have to capture and tolerate. Using this knowledge we can understand what type of activities happening in a system should be detected and prevented to implement intrusion detection and prevention.
 
\subsection {Rootkits}
Ones the attackers have gained access to a System, they need to hide their activities from being detected. For this purpose attackers inject rootkits which replace or modify the System Binaries, replace system libraries with trojanised versions, modify kernel data structures to provide stealth \cite{rootkits}.  
 
Binary Rootkits replace binaries of system utilities so that the malicious processes, files, ports open, etc... can be hidden.
Kernel Rootkits hook into the kernel and modify system calls, kernel memory image, system call tables. These can be injected by Loadable Kernel Modules.
Library Rootkits replace the standard system libraries.
 
\subsection{Attack Approaches}  
The ways in which the above compromises are introduced into the system are as below.
 
By gaining root access to the system, then by a Loadable Kernel Module rootkit can be loaded and then it will change the kernel data structures.
The changes in the kernel that rootkits can cause,
 
\begin{description}
\item[Process Hiding]
\label{item:processHiding}
Kernel uses data structures to display the list of processes that are executing on the system. Modifications to these data structures can hide the malicious processes from being displayed.
 
\item[System call Interception]
Kernel mode privileged instructions has the ability to access the entire address space. The activation of the Kernel Mode is done by a system call, these system calls can be intercepted by either \emph{modifying the entry for the system call handler's address in the system call table} or by \emph{Modifying the System call handler code.}
 
\item[Interrupt Hooking]
Interrupts raised in a system are handled by invoking the proper Interrupt handler based on the Interrupt Descriptor Table (IDT). Rootkits can be executed instead of the proper Interrupt Handler by \emph{Modifying the entry in the IDT to execute the rootkit} or \emph{ Modifying the First few Instructions in the interrupt handler to invoke the rootkit.}
 
\item[Modifying the Kernel Memory Image]
Interfaces provided to writing to the Kernel can be used to modify the kernel to execute malicious code.

 
\end{description}
 
 
 
\section{Detection Methodologies}
IDSs use multiple detection methodologies, to provide accurate detection.
The classes of detection methodologies as described in the Standards Institute Special article \cite{GuideIdps} are as follows,
 
\subsection{Signature Based}
Compares known threat signatures to observed events to identify incidents. This is only effective in detecting known threats.
 
\subsection{Anomaly-based}
compares definitions of what activity is considered normal against observed events to identify significant deviations. This method uses profiles that are developed by monitoring the characteristics of typical activity over a period of time. The IDS then compares the characteristics of current activity to thresholds related to the profile. Anomaly-based detection methods can be very effective at detecting previously unknown threats.
 
 
\subsection{Stateful protocol analysis}  
This analyses the State of a protocol in the same way as in the Anomaly based Detection.  
 
 
 
\section{Problems prevailing in IDS}
 
 
As mentioned above the IDS are open for attack where ever they may be running from. Ones the IDS is attacked or if it crashes there needs to be proper fault tolerance measures available to guarantee that the hosts are not being attacked during the failure time.  
 
If a HIDS crashes it is impossible for all system activity to be suspended since it relies on the System to resume the crashed IDS.
Ones the IDS is crashed the whole system will have to be crashed or the system will allow the attacker to fully exploit the system.
 
 
If a NIDS crashes it will be necessary to suspend activities of all the Hosts being monitored by it. NIDS restart would amount to a big denial of service attack.
 
The IDS under discussion in this survey will have the architectural features necessary to successfully tolerate faults, keeping the Monitored Hosts safe from attack.
 
 
 
